70-240 in 15 minutes a week: Active Directory and DNS - Part 2 Page 3

One of the major improvements between Windows NT 4 and Windows 2000 is that the decision on whether or not a server becomes a domain controller is made independently of the actual OS installation. As such, turning a member server into a domain controller (or vice-versa) can be done without a complete reinstallation. The tool used to install (or uninstall) Active Directory on a server is the Active Directory Installation Wizard, dcpromo.exe. This section takes a look at the various decisions to be made throughout the wizard.

Before getting started, there are a few important requirements that you need to be aware of, as listed below:

- The system must be running Windows 2000 Server, Advanced Server, or Datacenter Server.
- AD installation requires a minimum of 200 MB of disk space for the AD database and 50 MB for the transaction log files. These can be placed on FAT, FAT32, or NTFS partitions.
- The server must have at least one NTFS partition to house the SYSVOL folder.
- TCP/IP must be installed and configured to use DNS.
- Appropriate administrative privileges are required.

The Active Directory Installation Wizard can be used for a few different purposes, and you should be aware of the reasons. These include creating a new forest (a new root domain), adding a domain controller to an existing domain, creating a new tree, and creating a new child domain. It is very important to pay attention during the wizard to ensure that you are making the correct choices, especially when creating the root domain of the forest, since, for example, the root domain cannot be renamed afterwards. For the purpose of this article, I will cover the installation of a new root domain. You should familiarize yourself with the other options, however.

The wizard begins by asking if you are creating a new domain, or adding a domain controller to an existing domain. The second option is less involved, since the domain will already have been created.

After choosing to create a new domain, we are presented with the option of creating a new domain tree (which we are going to choose, since we are creating a new forest root) or creating a child domain.

After choosing to create a new tree, we must choose whether we wish to create an entirely new forest or add this tree to an existing forest. Note that creating a new forest creates an entirely new AD structure.

The new domain (in our case the root domain) must be named according to DNS naming conventions. Since I have already created the associated DNS zone, I will not be prompted with any errors, and the wizard will not offer to create the zone for me. The second screen after providing the domain name asks for the name in NetBIOS format (provided by default and truncated to 15 characters if necessary) for older clients such as Windows 95, 98 and NT, which still rely on NetBIOS for things like logon.

The next decision is where the AD database and associated log files should be placed. Make note of the fact that, for best performance, these should be placed on separate hard disks if possible. By default they are both placed in the %systemroot%\NTDS directory.

The next decision is the location of SYSVOL, the folder that contains files relating to the domain such as group policy objects, logon scripts, etc. This must be on an NTFS partition, and it will be replicated by the File Replication Service (FRS).

The next step is something that you must pay attention to, especially if your environment still has NT 4-based application services in use (RAS, for example). A remote access server will need to check user properties in Active Directory, and if the first option on the permissions screen (the one compatible with pre-Windows 2000 servers) is not chosen, the NT 4 RAS server will not be able to access the information, since RAS uses a null session to communicate with the domain controller. Note that this 'loosening' of permissions could allow an anonymous user to read some information in Active Directory, so choose it only if you actually have such servers.

You will also need to choose a password for this server's Administrator account, to be used when accessing Directory Services Restore Mode (from the advanced startup menu).

After all of the information has been entered, you are given an opportunity to review what has been selected, and upon confirmation the domain is created. The domain controller installation process can also be automated with an unattended install. The syntax is dcpromo.exe /answer:answerfilename. For a look at the syntax of the dcpromo answer file, check the file unattend.doc in the deploy.cab file found in the \support\tools directory of the Windows 2000 CD.
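As an added example (not from the original article), here is what an answer file for the forest-root installation walked through above could look like, mapping each wizard decision to a [DCInstall] key. The key names follow the [DCInstall] section as documented in unattend.doc; verify them against your own copy, and treat every value (domain names, paths, site name, password) as a constructed placeholder to replace.

```ini
; Constructed dcpromo answer file for a new forest root domain (Windows 2000).
; Key names as documented in unattend.doc; all values are placeholders.
[DCInstall]
; Wizard choices for a forest root: new domain, new tree, new forest
ReplicaOrNewDomain=Domain
TreeOrChild=Tree
CreateOrJoin=Create
; DNS name of the new root domain (must follow DNS naming conventions)
NewDomainDNSName=corp.example.com
; NetBIOS name for down-level clients (15 characters maximum)
DomainNetbiosName=CORP
; The DNS zone already exists, so do not let the wizard create one
AutoConfigDNS=No
; Database and log files on separate disks where possible
DatabasePath=D:\NTDS
LogPath=E:\NTDS
; SYSVOL must live on an NTFS partition
SYSVOLPath=D:\SYSVOL
; Site the new domain controller is placed in
SiteName=Default-First-Site-Name
; No = do not loosen permissions for pre-Windows 2000 servers;
; set to Yes only if NT 4 RAS servers still need null-session reads
AllowAnonymousAccess=No
; Directory Services Restore Mode password for the local Administrator
SafeModeAdminPassword=REPLACE_WITH_STRONG_PASSWORD
RebootOnSuccess=Yes
```

The file holds the restore-mode password in clear text, so restrict its ACL to administrators and delete it once the promotion has completed.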